<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>X509_STORE_CTX_set_verify_cb</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:" />
</head>

<body>



<ul id="index">
  <li><a href="#NAME">NAME</a></li>
  <li><a href="#SYNOPSIS">SYNOPSIS</a></li>
  <li><a href="#DESCRIPTION">DESCRIPTION</a></li>
  <li><a href="#WARNINGS">WARNINGS</a></li>
  <li><a href="#NOTES">NOTES</a></li>
  <li><a href="#RETURN-VALUES">RETURN VALUES</a></li>
  <li><a href="#EXAMPLES">EXAMPLES</a></li>
  <li><a href="#SEE-ALSO">SEE ALSO</a></li>
  <li><a href="#HISTORY">HISTORY</a></li>
  <li><a href="#COPYRIGHT">COPYRIGHT</a></li>
</ul>

<h1 id="NAME">NAME</h1>

<p>X509_STORE_CTX_get_cleanup, X509_STORE_CTX_get_lookup_crls, X509_STORE_CTX_get_lookup_certs, X509_STORE_CTX_get_check_policy, X509_STORE_CTX_get_cert_crl, X509_STORE_CTX_get_check_crl, X509_STORE_CTX_get_get_crl, X509_STORE_CTX_get_check_revocation, X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer, X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb, X509_STORE_CTX_verify_cb - get and set verification callback</p>

<h1 id="SYNOPSIS">SYNOPSIS</h1>

<pre><code> <span class="comment">#include &lt;openssl/x509_vfy.h&gt;</span>
 
 <span class="variable">typedef</span> <span class="keyword">int</span> <span class="operator">(</span><span class="variable">*X509_STORE_CTX_verify_cb</span><span class="operator">)(</span><span class="keyword">int</span><span class="operator">,</span> <span class="variable">X509_STORE_CTX</span> <span class="operator">*);</span>
 
 <span class="variable">X509_STORE_CTX_verify_cb</span> <span class="variable">X509_STORE_CTX_get_verify_cb</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 
 <span class="variable">void</span> <span class="variable">X509_STORE_CTX_set_verify_cb</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">,</span>
                                   <span class="variable">X509_STORE_CTX_verify_cb</span> <span class="variable">verify_cb</span><span class="operator">);</span>
 
 <span class="variable">X509_STORE_CTX_get_issuer_fn</span> <span class="variable">X509_STORE_CTX_get_get_issuer</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_check_issued_fn</span> <span class="variable">X509_STORE_CTX_get_check_issued</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_check_revocation_fn</span> <span class="variable">X509_STORE_CTX_get_check_revocation</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_get_crl_fn</span> <span class="variable">X509_STORE_CTX_get_get_crl</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_check_crl_fn</span> <span class="variable">X509_STORE_CTX_get_check_crl</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_cert_crl_fn</span> <span class="variable">X509_STORE_CTX_get_cert_crl</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_check_policy_fn</span> <span class="variable">X509_STORE_CTX_get_check_policy</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_lookup_certs_fn</span> <span class="variable">X509_STORE_CTX_get_lookup_certs</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_lookup_crls_fn</span> <span class="variable">X509_STORE_CTX_get_lookup_crls</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
 <span class="variable">X509_STORE_CTX_cleanup_fn</span> <span class="variable">X509_STORE_CTX_get_cleanup</span><span class="operator">(</span><span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">);</span>
</code></pre>

<h1 id="DESCRIPTION">DESCRIPTION</h1>

<p>X509_STORE_CTX_set_verify_cb() sets the verification callback of <b>ctx</b> to <b>verify_cb</b> overwriting any existing callback.</p>

<p>The verification callback can be used to customise the operation of certificate verification, either by overriding error conditions or logging errors for debugging purposes.</p>

<p>However a verification callback is <b>not</b> essential and the default operation is often sufficient.</p>

<p>The <b>ok</b> parameter to the callback indicates the value the callback should return to retain the default behaviour. If it is zero then an error condition is indicated. If it is 1 then no error occurred. If the flag <b>X509_V_FLAG_NOTIFY_POLICY</b> is set then <b>ok</b> is set to 2 to indicate the policy checking is complete.</p>

<p>The <b>ctx</b> parameter to the callback is the <b>X509_STORE_CTX</b> structure that is performing the verification operation. A callback can examine this structure and receive additional information about the error, for example by calling X509_STORE_CTX_get_current_cert(). Additional application data can be passed to the callback via the <b>ex_data</b> mechanism.</p>

<p>X509_STORE_CTX_get_verify_cb() returns the value of the current callback for the specific <b>ctx</b>.</p>

<p>X509_STORE_CTX_get_get_issuer(), X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(), X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(), X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(), X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls() and X509_STORE_CTX_get_cleanup() return the function pointers cached from the corresponding <b>X509_STORE</b>, please see <a href="../man3/X509_STORE_set_verify.html">X509_STORE_set_verify(3)</a> for more information.</p>

<h1 id="WARNINGS">WARNINGS</h1>

<p>In general a verification callback should <b>NOT</b> unconditionally return 1 in all circumstances because this will allow verification to succeed no matter what the error. This effectively removes all security from the application because <b>any</b> certificate (including untrusted generated ones) will be accepted.</p>

<h1 id="NOTES">NOTES</h1>

<p>The verification callback can be set and inherited from the parent structure performing the operation. In some cases (such as S/MIME verification) the <b>X509_STORE_CTX</b> structure is created and destroyed internally and the only way to set a custom verification callback is by inheriting it from the associated <b>X509_STORE</b>.</p>

<h1 id="RETURN-VALUES">RETURN VALUES</h1>

<p>X509_STORE_CTX_set_verify_cb() does not return a value.</p>

<h1 id="EXAMPLES">EXAMPLES</h1>

<p>Default callback operation:</p>

<pre><code> <span class="keyword">int</span> <span class="variable">verify_callback</span><span class="operator">(</span><span class="keyword">int</span> <span class="variable">ok</span><span class="operator">,</span> <span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">)</span> <span class="operator">{</span>
     <span class="keyword">return</span> <span class="variable">ok</span><span class="operator">;</span>
 <span class="operator">}</span>
</code></pre>

<p>Simple example, suppose a certificate in the chain is expired and we wish to continue after this error:</p>

<pre><code> <span class="keyword">int</span> <span class="variable">verify_callback</span><span class="operator">(</span><span class="keyword">int</span> <span class="variable">ok</span><span class="operator">,</span> <span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">)</span> <span class="operator">{</span>
     <span class="regex">/* Tolerate certificate expiration */</span>
     <span class="keyword">if</span> <span class="operator">(</span><span class="variable">X509_STORE_CTX_get_error</span><span class="operator">(</span><span class="variable">ctx</span><span class="operator">)</span> <span class="operator">==</span> <span class="variable">X509_V_ERR_CERT_HAS_EXPIRED</span><span class="operator">)</span>
         <span class="keyword">return</span> <span class="number">1</span><span class="operator">;</span>
     <span class="regex">/* Otherwise don't override */</span>
     <span class="keyword">return</span> <span class="variable">ok</span><span class="operator">;</span>
 <span class="operator">}</span>
</code></pre>

<p>More complex example, we don&#39;t wish to continue after <b>any</b> certificate has expired just one specific case:</p>

<pre><code> <span class="keyword">int</span> <span class="variable">verify_callback</span><span class="operator">(</span><span class="keyword">int</span> <span class="variable">ok</span><span class="operator">,</span> <span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">)</span>
 <span class="operator">{</span>
     <span class="keyword">int</span> <span class="variable">err</span> <span class="operator">=</span> <span class="variable">X509_STORE_CTX_get_error</span><span class="operator">(</span><span class="variable">ctx</span><span class="operator">);</span>
     <span class="variable">X509</span> <span class="variable">*err_cert</span> <span class="operator">=</span> <span class="variable">X509_STORE_CTX_get_current_cert</span><span class="operator">(</span><span class="variable">ctx</span><span class="operator">);</span>
 
     <span class="keyword">if</span> <span class="operator">(</span><span class="variable">err</span> <span class="operator">==</span> <span class="variable">X509_V_ERR_CERT_HAS_EXPIRED</span><span class="operator">)</span> <span class="operator">{</span>
         <span class="keyword">if</span> <span class="operator">(</span><span class="variable">check_is_acceptable_expired_cert</span><span class="operator">(</span><span class="variable">err_cert</span><span class="operator">)</span>
             <span class="keyword">return</span> <span class="number">1</span><span class="operator">;</span>
     <span class="operator">}</span>
     <span class="keyword">return</span> <span class="variable">ok</span><span class="operator">;</span>
 <span class="operator">}</span>
</code></pre>

<p>Full featured logging callback. In this case the <b>bio_err</b> is assumed to be a global logging <b>BIO</b>, an alternative would to store a BIO in <b>ctx</b> using <b>ex_data</b>.</p>

<pre><code> <span class="keyword">int</span> <span class="variable">verify_callback</span><span class="operator">(</span><span class="keyword">int</span> <span class="variable">ok</span><span class="operator">,</span> <span class="variable">X509_STORE_CTX</span> <span class="variable">*ctx</span><span class="operator">)</span>
 <span class="operator">{</span>
     <span class="variable">X509</span> <span class="variable">*err_cert</span><span class="operator">;</span>
     <span class="keyword">int</span> <span class="variable">err</span><span class="operator">,</span> <span class="variable">depth</span><span class="operator">;</span>
 
     <span class="variable">err_cert</span> <span class="operator">=</span> <span class="variable">X509_STORE_CTX_get_current_cert</span><span class="operator">(</span><span class="variable">ctx</span><span class="operator">);</span>
     <span class="variable">err</span> <span class="operator">=</span> <span class="variable">X509_STORE_CTX_get_error</span><span class="operator">(</span><span class="variable">ctx</span><span class="operator">);</span>
     <span class="variable">depth</span> <span class="operator">=</span> <span class="variable">X509_STORE_CTX_get_error_depth</span><span class="operator">(</span><span class="variable">ctx</span><span class="operator">);</span>
 
     <span class="variable">BIO_printf</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"depth=%d "</span><span class="operator">,</span> <span class="variable">depth</span><span class="operator">);</span>
     <span class="keyword">if</span> <span class="operator">(</span><span class="variable">err_cert</span><span class="operator">)</span> <span class="operator">{</span>
         <span class="variable">X509_NAME_print_ex</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="variable">X509_get_subject_name</span><span class="operator">(</span><span class="variable">err_cert</span><span class="operator">),</span>
                            <span class="number">0</span><span class="operator">,</span> <span class="variable">XN_FLAG_ONELINE</span><span class="operator">);</span>
         <span class="variable">BIO_puts</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"\n"</span><span class="operator">);</span>
     <span class="operator">}</span>
     <span class="keyword">else</span>
         <span class="variable">BIO_puts</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"&lt;no cert&gt;\n"</span><span class="operator">);</span>
     <span class="keyword">if</span> <span class="operator">(!</span><span class="variable">ok</span><span class="operator">)</span>
         <span class="variable">BIO_printf</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"verify error:num=%d:%s\n"</span><span class="operator">,</span> <span class="variable">err</span><span class="operator">,</span>
                    <span class="variable">X509_verify_cert_error_string</span><span class="operator">(</span><span class="variable">err</span><span class="operator">));</span>
     <span class="variable">switch</span> <span class="operator">(</span><span class="variable">err</span><span class="operator">)</span> <span class="operator">{</span>
     <span class="variable">case</span> <span class="variable">X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT</span><span class="operator">:</span>
         <span class="variable">BIO_puts</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"issuer= "</span><span class="operator">);</span>
         <span class="variable">X509_NAME_print_ex</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="variable">X509_get_issuer_name</span><span class="operator">(</span><span class="variable">err_cert</span><span class="operator">),</span>
                            <span class="number">0</span><span class="operator">,</span> <span class="variable">XN_FLAG_ONELINE</span><span class="operator">);</span>
         <span class="variable">BIO_puts</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"\n"</span><span class="operator">);</span>
         <span class="keyword">break</span><span class="operator">;</span>
     <span class="variable">case</span> <span class="variable">X509_V_ERR_CERT_NOT_YET_VALID</span><span class="operator">:</span>
     <span class="variable">case</span> <span class="variable">X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD</span><span class="operator">:</span>
         <span class="variable">BIO_printf</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"notBefore="</span><span class="operator">);</span>
         <span class="variable">ASN1_TIME_print</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="variable">X509_get_notBefore</span><span class="operator">(</span><span class="variable">err_cert</span><span class="operator">));</span>
         <span class="variable">BIO_printf</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"\n"</span><span class="operator">);</span>
         <span class="keyword">break</span><span class="operator">;</span>
     <span class="variable">case</span> <span class="variable">X509_V_ERR_CERT_HAS_EXPIRED</span><span class="operator">:</span>
     <span class="variable">case</span> <span class="variable">X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD</span><span class="operator">:</span>
         <span class="variable">BIO_printf</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"notAfter="</span><span class="operator">);</span>
         <span class="variable">ASN1_TIME_print</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="variable">X509_get_notAfter</span><span class="operator">(</span><span class="variable">err_cert</span><span class="operator">));</span>
         <span class="variable">BIO_printf</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"\n"</span><span class="operator">);</span>
         <span class="keyword">break</span><span class="operator">;</span>
     <span class="variable">case</span> <span class="variable">X509_V_ERR_NO_EXPLICIT_POLICY</span><span class="operator">:</span>
         <span class="variable">policies_print</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="variable">ctx</span><span class="operator">);</span>
         <span class="keyword">break</span><span class="operator">;</span>
     <span class="operator">}</span>
     <span class="keyword">if</span> <span class="operator">(</span><span class="variable">err</span> <span class="operator">==</span> <span class="variable">X509_V_OK</span> <span class="operator">&amp;&amp;</span> <span class="variable">ok</span> <span class="operator">==</span> <span class="number">2</span><span class="operator">)</span>
         <span class="operator">/*</span> <span class="keyword">print</span> <span class="variable">out</span> <span class="variable">policies</span> <span class="operator">*/</span>
 
     <span class="variable">BIO_printf</span><span class="operator">(</span><span class="variable">bio_err</span><span class="operator">,</span> <span class="string">"verify return:%d\n"</span><span class="operator">,</span> <span class="variable">ok</span><span class="operator">);</span>
     <span class="keyword">return</span><span class="operator">(</span><span class="variable">ok</span><span class="operator">);</span>
 <span class="operator">}</span>
</code></pre>

<h1 id="SEE-ALSO">SEE ALSO</h1>

<p><a href="../man3/X509_STORE_CTX_get_error.html">X509_STORE_CTX_get_error(3)</a> <a href="../man3/X509_STORE_set_verify_cb_func.html">X509_STORE_set_verify_cb_func(3)</a> <a href="../man3/X509_STORE_CTX_get_ex_new_index.html">X509_STORE_CTX_get_ex_new_index(3)</a></p>

<h1 id="HISTORY">HISTORY</h1>

<p>The X509_STORE_CTX_get_get_issuer(), X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(), X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(), X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(), X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls() and X509_STORE_CTX_get_cleanup() functions were added in OpenSSL 1.1.0.</p>

<h1 id="COPYRIGHT">COPYRIGHT</h1>

<p>Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved.</p>

<p>Licensed under the OpenSSL license (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>


</body>

</html>


